EP3580688B1 - Abstracted cryptographic material management across multiple service providers - Google Patents
Abstracted cryptographic material management across multiple service providers Download PDFInfo
- Publication number
- EP3580688B1 EP3580688B1 EP18750612.6A EP18750612A EP3580688B1 EP 3580688 B1 EP3580688 B1 EP 3580688B1 EP 18750612 A EP18750612 A EP 18750612A EP 3580688 B1 EP3580688 B1 EP 3580688B1
- Authority
- EP
- European Patent Office
- Prior art keywords
- key
- producing
- platforms
- consuming
- api
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
- 239000000463 material Substances 0.000 title claims description 34
- 238000000034 method Methods 0.000 claims description 22
- 238000004519 manufacturing process Methods 0.000 claims description 21
- 238000012546 transfer Methods 0.000 claims description 8
- 238000013507 mapping Methods 0.000 claims description 6
- 239000008186 active pharmaceutical agent Substances 0.000 claims 2
- 238000007726 management method Methods 0.000 description 31
- 238000003860 storage Methods 0.000 description 17
- 230000009471 action Effects 0.000 description 12
- 238000010586 diagram Methods 0.000 description 6
- 238000004364 calculation method Methods 0.000 description 5
- 230000006870 function Effects 0.000 description 5
- 238000012545 processing Methods 0.000 description 5
- 230000008901 benefit Effects 0.000 description 3
- 230000008859 change Effects 0.000 description 3
- 238000013500 data storage Methods 0.000 description 3
- 230000004048 modification Effects 0.000 description 3
- 238000012986 modification Methods 0.000 description 3
- 238000004891 communication Methods 0.000 description 2
- 238000004590 computer program Methods 0.000 description 2
- 230000014759 maintenance of location Effects 0.000 description 2
- 230000003287 optical effect Effects 0.000 description 2
- 239000000284 extract Substances 0.000 description 1
- 230000008676 import Effects 0.000 description 1
- 230000007246 mechanism Effects 0.000 description 1
- 230000002085 persistent effect Effects 0.000 description 1
- 230000008569 process Effects 0.000 description 1
- 239000004065 semiconductor Substances 0.000 description 1
- 238000012795 verification Methods 0.000 description 1
- 238000012800 visualization Methods 0.000 description 1
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/06—Network architectures or network communication protocols for network security for supporting key management in a packet data network
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/06—Network architectures or network communication protocols for network security for supporting key management in a packet data network
- H04L63/062—Network architectures or network communication protocols for network security for supporting key management in a packet data network for key distribution, e.g. centrally by trusted party
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/02—Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
- H04L9/0819—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
- H04L9/0819—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
- H04L9/0822—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using key encryption key
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0861—Generation of secret information including derivation or calculation of cryptographic keys or passwords
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/088—Usage controlling of secret information, e.g. techniques for restricting cryptographic keys to pre-authorized uses, different access levels, validity of crypto-period, different key- or password length, or different strong and weak cryptographic algorithms
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0894—Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/14—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using a plurality of keys or algorithms
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/04—Key management, e.g. using generic bootstrapping architecture [GBA]
- H04W12/043—Key management, e.g. using generic bootstrapping architecture [GBA] using a trusted network node as an anchor
- H04W12/0431—Key distribution or pre-distribution; Key agreement
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/04—Key management, e.g. using generic bootstrapping architecture [GBA]
- H04W12/043—Key management, e.g. using generic bootstrapping architecture [GBA] using a trusted network node as an anchor
- H04W12/0433—Key management protocols
Definitions
- Cloud service providers offer cloud storage for data, encryption and decryption services, key production services, and even key management services.
- each of these services has an application programming interface (API) specific to that service.
- API application programming interface
- This situation burdens the user with the responsibility of learning each of these APIs and interacting with multiple service providers, with overhead for each addition of or change to a service, and each change in user needs.
- Key management services while addressing and alleviating some of this burden, still have APIs unique to different key management service providers. It is within this context that the embodiments arise.
- WO2016/145446A1 describes a system in which a management user interface transmits a request to a management request handler to manage encryption keys.
- a processor-based method for cryptographic material management includes receiving into a computing device, through an application programming interface (API) of the computing device, a designation of which of a plurality of key-producing cloud services or key-producing platforms sources each of a plurality of keys and which of a plurality of key-consuming cloud service providers or key-consuming platforms uses each of the plurality of keys for encrypting or decrypting data.
- the method includes directing, from the computing device through a first plurality of end modules each interfaced to a specific API of a specific one of the plurality of key-producing cloud services or key-producing platforms, production of one or more of the plurality of keys.
- the method includes directing, from the computing device through a second plurality of end modules each interfaced to a specific API of a specific one of the plurality of key-consuming cloud service providers or key-consuming platforms, usage of one or more of the plurality of keys.
- the method is captured on a computer readable medium.
- a cryptographic material management system includes a server, having physical computing resources or virtualized using physical computing resources, configurable to present an application programming interface (API) that supports user designation of which of a plurality of key-producing cloud services or key-producing platforms generates each of a plurality of keys and which of a plurality of key-consuming cloud service providers or key-consuming platforms uses each of the plurality of keys for encrypting or decrypting data.
- API application programming interface
- one form of encrypting/decrypting data may include signature and verification. It should be appreciated that the key producing services may also be run on premise as the service is not limited to a cloud based service.
- the server includes a first plurality of end modules each configurable to interface to a specific API of a specific one of the plurality of key-producing cloud services or key-producing platforms to direct production of one or more of the plurality of keys.
- the server includes a second plurality of end modules each configurable to interface to a specific API of a specific one of the plurality of key-consuming cloud service providers or key-consuming platforms to direct usage of one or more of the plurality of keys.
- a cryptographic material management system described herein manages cryptographic material across multiple service providers and platforms.
- the system provides cloud key management capabilities, among other capabilities. While some embodiments refer to a cloud based key producing service, this is not meant to be limiting as the key producing service may also be run on premise.
- a server presents an application programming interface (API) to a client device or user, and interfaces to various APIs of cloud service providers and platforms through end modules specific to the APIs.
- the server manages authentication, naming, policies and cryptographic key handling including key wrapping and transfers, across the service providers and platforms as directed by the client device or user.
- API application programming interface
- Fig. 1 is a system diagram of a cryptographic material management system that interfaces to application programming interfaces (APIs) 112 of key-producing cloud services, key-producing platforms 134, key-consuming cloud services 130 and/or key-consuming platforms 138.
- Cryptographic keys 142 and encrypted data are managed as cryptographic material.
- a user accesses an API 112 of the server 104, for example through a client device 142 coupled to a network 102 such as the global communication network known as the Internet and depicted in Fig. 1 as a cloud.
- the user or client device 142 makes various selections or entries (see Fig. 3C example API) for sources of keys, usage of keys, encryption, decryption and storage of data, all through the common interface provided by the server 104.
- various end modules 106 in the server 104 for key-producing, interface to APIs 112 of key-producing services 128 in cloud service providers 124 and/or APIs 112 of key-producing platforms 134 that are coupled to the network 102.Through these end modules 106 for key-producing, the server directs the key-producing services 128 and/or key-producing platforms 134 to generate or otherwise produce keys 142.
- a data structure 114, policies 116, a mapping module 118, an authentication module 120 and a naming module 122 are used for various functions in the management of cryptographic material, as described below in example scenarios.
- Each end module 106, 108, the mapping module 118, the authentication module 120 and the naming module 122 can be implemented in hardware, firmware, software executing on the processor 110 or combination thereof.
- the data structure 114 can be implemented in memory, or otherwise accessible by the processor, as can the policies 116.
- the server 104 can be implemented as a physical device or as a virtualized device using physical computing resources in some embodiments.
- the server 104 directs multiple key-producing services 128 and/or key-producing platforms 134 to generate multiple keys 142, and transfer the keys 142 to multiple key-consuming services 130 and/or key-consuming platforms 138.
- the server 104 directs these key-consuming services 130 and/or key-consuming platforms 138 to use the keys 142 for encryption and decryption 144 of data, which is directed to be stored in the storages 132 of the key-consuming services 130, storages 132 of key-consuming platforms 138 and/or cloud storage 136.
- the server 104 accesses and consults various policies 116.
- the policies 116 could specify which keys are produced by which providers or platforms and which keys are used by which providers or platforms, or could specify which keys can be used by which users, etc.
- the server 104 uses the mapping module 118 to map keys and data to providers and platforms, storing the results of the mapping in the data structure 114. Keys are not required to be produced and used in a one-to-one relationship, and can be reused, shared, etc. Keys 142, various services, origins and destinations for keys and data, and other entities or actions, i.e., resources imported from services or platforms, may use existing names or be given or otherwise assigned names by the naming module 122. Providers, platforms and users are authenticated by the authentication module 122. In some versions, the server 104 authenticates to the providers and/or platforms.
- keys 142 can be managed by a key management service 140 through an API 112 in some embodiments. Keys 142 could be transferred directly from key-producing services 128 or key-producing platforms 134, to the key-consuming services 130 or key-consuming platforms 138. Or, keys could be transferred to a key management service 140 by the key-producing services 128 and key-producing platform 134, stored in the key management service 140, then deployed to the key-consuming services 130 and key-consuming platforms 138 on an as-needed basis. Instead, keys could be stored in the server 104, for example in the data structure 114 or elsewhere in memory. Alternatively, a key repository could be designated, or the keys could be stored in the client device 142. Further locations for storing keys are readily devised in keeping with the teachings herein.
- key-producing service 128 and key-consuming service 130 could be hosted by the same cloud service provider. It is also possible that key-producing platforms 134 (e.g., integrated circuits, circuit boards, boxes or other devices) or key-consuming platforms 138 (e.g., similar) could be local to the server 104, or remote from the server 104 but accessible through the network 102.
- key-producing platforms 134 e.g., integrated circuits, circuit boards, boxes or other devices
- key-consuming platforms 138 e.g., similar
- Fig. 2 is a block diagram of an end module 202 suitable for use in the cryptographic material management system of Fig. 1 .
- each of the end modules 106 for key-producing, and each of the end modules 108 for key-consuming could have some or all of the features, or be a variation, of the end module 202.
- Each end module 202 is specific to an API 112 of one of the services or platforms. Updates or upgrades to the cryptographic material management system could include new modules, for new services or platforms as these become available, and revisions to existing modules as services or platforms change.
- the end module 202 has an API interface 204 specific to an API 112, an authentication handling module 206, a parameter handling module 208, a command generator 210 for a command line interface, and/or a field extractor and field populator 212, for a web interface.
- the authentication handling module 206 directs authentication to, or authentication of, the service or platform represented by the API to which the API interface 204 couples. Parameters are extracted or inserted through the parameter handling module 208 into or out of the API of the service or platform. If the API of the service or platform has a command line interface, the command generator module 210 produces commands for the command line interface, in cooperation with the parameter handling module 208.
- the field extractor and field populator module 212 extracts parameters from the webpage or populates parameters into the webpage (e.g., writes parameters to fields or makes selections in the webpage), through cooperation with the parameter handling module 208.
- Fig. 3A is an example of an API of a key-producing cloud service.
- This API is presented through a webpage 302 from a cloud service provider 124 that has a key-producing service 128.
- a title announces the cloud service provider name 304.
- fields are shown in the webpage 302 for entry of logon ID 306 and password 308.
- Key generation requests 310 have fields for entry of a name 312, and one or more destinations 314 for the key. If it is desired the key be wrapped (e.g., encrypted by another key), a key wrapping selection 316 is made. Fields for key name 312, destination(s) 314 and key wrapping selection 316 are repeated for multiple keys.
- Options 318 are offered, such as to send all keys to a key repository 320, or to enable a key management system 322.
- an end module 106 for key-producing interfaces to the API presented by a cloud service through the webpage 302 of Fig. 3A in the server 104 an end module 106 for key-producing interfaces to the API presented by a cloud service through the webpage 302 of Fig. 3A .
- the API could be presented through a command line interface, or could include a command line interface as part of the webpage 302.
- the above example could also serve for a key-producing platform 134. Further variations (e.g., with different menu styles, offerings, options, etc.) are readily devised.
- Fig. 3B is an example of an API of a key-consuming cloud service.
- this API is presented through a webpage 302, but from a cloud service provider 124 that has a key-consuming service 130.
- a title announces the cloud service provider name 304, and fields are available for entry of logon ID 306 and password 308.
- Fields are presented for providing a key 324, selecting a service tier 328, selecting a type of storage 330, and selecting or entering to which users the key and associated encryption/decryption are applied, for multiple keys and users.
- Other fields and options could be present in variations.
- the above example could also serve for a key-consuming platform 138.
- Fig. 3C is an example of an API for cryptographic material management through the cryptographic material management system of Fig. 1 .
- This API is seen, for example, by the client device 142 when coupled through the network 102 to the server 104 in order to manage cryptographic material in the system.
- Types of functions available through the API could include import key, grab key, map key, get key from, store key at, transfer key to, send key to, wrap key, name key, etc.
- the user or client device 142 logs onto the webpage 302 (i.e., authenticates to the server 104), by entering a logon ID 306 and password 308.
- the user or client device 142 By selecting or entering in fields for users 332, keys 336 and services 334, 338, 340, the user or client device 142 indicates that the data for selected users is encrypted by selected services using keys from selected services and stored by selected services. Key storage options are available, and the keys can be stored at the server 342, a key repository 344, or a key management service 346, as indicated at these fields. Variations on the above API are readily devised. In some versions, the policies 116 (see Fig. 1 ) are developed from information entered through the API, and in other versions the policies 116 are edited or uploaded separately.
- Fig. 4 is a flow diagram of a method of cryptographic material management, which can be practiced using the cryptographic material management system of Fig. 1 , and variations thereof.
- the method can be practiced by a processor, more specifically by a processor of the server 104.
- the server presents an API to the client device, in an action 402.
- the server receives an indication through the API, from the client device, of key production and key consumption.
- the client device or more specifically the user through the client device, could make various selections in the webpage shown in Fig. 3C or variation thereof, to indicate, designate or direct how the cryptographic material is to be managed.
- policies are consulted.
- policies which are uploaded to the server or created interactively with the user or the client device, govern the cryptographic material management.
- names are assigned to keys and services. This could be done interactively with the user or client device, or automatically by the naming module of the server.
- key production, key usage and key ownership are mapped in a data structure, e.g., in or accessible by the server.
- authentication is performed with the key producing and key consuming services and platforms. The server 104 automates this process through respective end modules and APIs.
- key production is directed through APIs of key-producing cloud services and or key-producing platforms.
- a suitable API is depicted in Fig. 3A .
- key usage is directed through APIs of key-consuming cloud services and/or key-consuming platforms.
- a suitable API is depicted in Fig. 3B .
- Key wrapping and key transfers are coordinated, in an action 418.
- the server directs key transfers and optional key wrapping through the various APIs, in accordance with user selection and/or policies. Status and summary are reported to the client device through the API, in an action 420.
- Fig. 5 is an illustration showing an exemplary computing device which may implement the embodiments described herein.
- the computing device of Fig. 5 may be used to perform embodiments of the functionality for cryptographic material management in accordance with some embodiments.
- the computing device includes a central processing unit (CPU) 501, which is coupled through a bus 505 to a memory 503, and mass storage device 507.
- Mass storage device 507 represents a persistent data storage device such as a floppy disc drive or a fixed disc drive, which may be local or remote in some embodiments.
- the mass storage device 507 could implement a backup storage, in some embodiments.
- Memory 503 may include read only memory, random access memory, etc.
- Applications resident on the computing device may be stored on or accessed via a computer readable medium such as memory 503 or mass storage device 507 in some embodiments. Applications may also be in the form of modulated electronic signals modulated accessed via a network modem or other network interface of the computing device.
- CPU 501 may be embodied in a general-purpose processor, a special purpose processor, or a specially programmed logic device in some embodiments.
- Display 511 is in communication with CPU 501, memory 503, and mass storage device 507, through bus 505. Display 511 is configured to display any visualization tools or reports associated with the system described herein. Input/output device 509 is coupled to bus 505 in order to communicate information in command selections to CPU 501. It should be appreciated that data to and from external devices may be communicated through the input/output device 509.
- CPU 501 can be defined to execute the functionality described herein to enable the functionality described with reference to Figs. 1-4 .
- the code embodying this functionality may be stored within memory 503 or mass storage device 507 for execution by a processor such as CPU 501 in some embodiments.
- the operating system on the computing device may be i0Srim, MS-WINDOWSTM, OS/2TM, UNIXTM, LINUXTm, or other known operating systems. It should be appreciated that the embodiments described herein may also be integrated with a virtualized computing system that is implemented with physical computing resources.
- first, second, etc. may be used herein to describe various steps or calculations, these steps or calculations should not be limited by these terms. These terms are only used to distinguish one step or calculation from another. For example, a first calculation could be termed a second calculation, and, similarly, a second step could be termed a first step, without departing from the scope of this disclosure.
- the term "and/or" and the "/" symbol includes any and all combinations of one or more of the associated listed items.
- the embodiments might employ various computer-implemented operations involving data stored in computer systems. These operations are those requiring physical manipulation of physical quantities. Usually, though not necessarily, these quantities take the form of electrical or magnetic signals capable of being stored, transferred, combined, compared, and otherwise manipulated. Further, the manipulations performed are often referred to in terms, such as producing, identifying, determining, or comparing. Any of the operations described herein that form part of the embodiments are useful machine operations.
- the embodiments also relate to a device or an apparatus for performing these operations.
- the apparatus can be specially constructed for the required purpose, or the apparatus can be a general-purpose computer selectively activated or configured by a computer program stored in the computer.
- various general-purpose machines can be used with computer programs written in accordance with the teachings herein, or it may be more convenient to construct a more specialized apparatus to perform the required operations.
- a module, an application, a layer, an agent or other method-operable entity could be implemented as hardware, firmware, or a processor executing software, or combinations thereof. It should be appreciated that, where a software-based embodiment is disclosed herein, the software can be embodied in a physical machine such as a controller. For example, a controller could include a first module and a second module. A controller could be configured to perform various actions, e.g., of a method, an application, a layer or an agent.
- the embodiments can also be embodied as computer readable code on a tangible non-transitory computer readable medium.
- the computer readable medium is any data storage device that can store data, which can be thereafter read by a computer system. Examples of the computer readable medium include hard drives, network attached storage (NAS), read-only memory, random-access memory, CD-ROMs, CD-Rs, CD-RWs, magnetic tapes, and other optical and non-optical data storage devices.
- the computer readable medium can also be distributed over a network coupled computer system so that the computer readable code is stored and executed in a distributed fashion.
- Embodiments described herein may be practiced with various computer system configurations including hand-held devices, tablets, microprocessor systems, microprocessor-based or programmable consumer electronics, minicomputers, mainframe computers and the like.
- the embodiments can also be practiced in distributed computing environments where tasks are performed by remote processing devices that are linked through a wire-based or wireless network.
- resources may be provided over the Internet as services according to one or more various models.
- models may include Infrastructure as a Service (laaS), Platform as a Service (PaaS), and Software as a Service (SaaS).
- laaS Infrastructure as a Service
- PaaS Platform as a Service
- SaaS Software as a Service
- IaaS computer infrastructure is delivered as a service.
- the computing equipment is generally owned and operated by the service provider.
- software tools and underlying equipment used by developers to develop software solutions may be provided as a service and hosted by the service provider.
- SaaS typically includes a service provider licensing software as a service on demand. The service provider may host the software, or may deploy the software to a customer for a given period of time. Numerous combinations of the above models are possible and are contemplated.
- Various units, circuits, or other components may be described or claimed as “configured to” or “configurable to” perform a task or tasks.
- the phrase “configured to” or “configurable to” is used to connote structure by indicating that the units/circuits/components include structure (e.g., circuitry) that performs the task or tasks during operation.
- the unit/circuit/component can be said to be configured to perform the task, or configurable to perform the task, even when the specified unit/circuit/component is not currently operational (e.g., is not on).
- the units/circuits/components used with the "configured to” or “configurable to” language include hardware--for example, circuits, memory storing program instructions executable to implement the operation, etc. Reciting that a unit/circuit/component is “configured to” perform one or more tasks, or is “configurable to” perform one or more tasks, is expressly intended not to invoke 35 U.S.C. 112, sixth paragraph, for that unit/circuit/component. Additionally, "configured to" or “configurable to” can include generic structure (e.g., generic circuitry) that is manipulated by software and/or firmware (e.g., an FPGA or a general-purpose processor executing software) to operate in manner that is capable of performing the task(s) at issue.
- generic structure e.g., generic circuitry
- firmware e.g., an FPGA or a general-purpose processor executing software
- Configured to may also include adapting a manufacturing process (e.g., a semiconductor fabrication facility) to fabricate devices (e.g., integrated circuits) that are adapted to implement or perform one or more tasks.
- a manufacturing process e.g., a semiconductor fabrication facility
- devices e.g., integrated circuits
- Configurable to is expressly intended not to apply to blank media, an unprogrammed processor or unprogrammed generic computer, or an unprogrammed programmable logic device, programmable gate array, or other unprogrammed device, unlessaccompanied by programmed media that confers the ability to the unprogrammed device to be configured to perform the disclosed function(s).
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Stored Programmes (AREA)
- Storage Device Security (AREA)
- Information Retrieval, Db Structures And Fs Structures Therefor (AREA)
Description
- This application claims the benefit under 35 U.S.C. § 119(e) of
U.S. Patent Application No. 15/472,065 filed on 28 March 2017 U.S.Provisional Application 62/458,269 filed on 13 February 2017 - Cloud service providers offer cloud storage for data, encryption and decryption services, key production services, and even key management services. Usually, each of these services has an application programming interface (API) specific to that service. This situation burdens the user with the responsibility of learning each of these APIs and interacting with multiple service providers, with overhead for each addition of or change to a service, and each change in user needs. Key management services, while addressing and alleviating some of this burden, still have APIs unique to different key management service providers. It is within this context that the embodiments arise.
- The document
WO2016/145446A1 describes a system in which a management user interface transmits a request to a management request handler to manage encryption keys. - In some embodiments, a processor-based method for cryptographic material management is provided. The method includes receiving into a computing device, through an application programming interface (API) of the computing device, a designation of which of a plurality of key-producing cloud services or key-producing platforms sources each of a plurality of keys and which of a plurality of key-consuming cloud service providers or key-consuming platforms uses each of the plurality of keys for encrypting or decrypting data. The method includes directing, from the computing device through a first plurality of end modules each interfaced to a specific API of a specific one of the plurality of key-producing cloud services or key-producing platforms, production of one or more of the plurality of keys. The method includes directing, from the computing device through a second plurality of end modules each interfaced to a specific API of a specific one of the plurality of key-consuming cloud service providers or key-consuming platforms, usage of one or more of the plurality of keys. In some embodiments, the method is captured on a computer readable medium.
- In some embodiments, a cryptographic material management system is provided. The system includes a server, having physical computing resources or virtualized using physical computing resources, configurable to present an application programming interface (API) that supports user designation of which of a plurality of key-producing cloud services or key-producing platforms generates each of a plurality of keys and which of a plurality of key-consuming cloud service providers or key-consuming platforms uses each of the plurality of keys for encrypting or decrypting data. In some embodiments, one form of encrypting/decrypting data may include signature and verification. It should be appreciated that the key producing services may also be run on premise as the service is not limited to a cloud based service. The server includes a first plurality of end modules each configurable to interface to a specific API of a specific one of the plurality of key-producing cloud services or key-producing platforms to direct production of one or more of the plurality of keys. The server includes a second plurality of end modules each configurable to interface to a specific API of a specific one of the plurality of key-consuming cloud service providers or key-consuming platforms to direct usage of one or more of the plurality of keys.
- Other aspects and advantages of the embodiments will become apparent from the following detailed description taken in conjunction with the accompanying drawings which illustrate, by way of example, the principles of the described embodiments.
- The described embodiments and the advantages thereof may best be understood by reference to the following description taken in conjunction with the accompanying drawings. These drawings in no way limit any changes in form and detail that may be made to the described embodiments by one skilled in the art.
-
Fig. 1 is a system diagram of a cryptographic material management system that interfaces to application programming interfaces (APIs) of key-producing cloud services, key-producing platforms, key-consuming cloud services and/or key-consuming platforms in accordance with some embodiments. -
Fig. 2 is a block diagram of an end module suitable for use in the cryptographic material management system ofFig. 1 in accordance with some embodiments. -
Fig. 3A is an example of an API of a key-producing cloud service in accordance with some embodiments. -
Fig. 3B is an example of an API of a key-consuming cloud service in Accordance with some embodiments. -
Fig. 3C is an example of an API for cryptographic material management through the cryptographic material management system ofFig. 1 in accordance with some embodiments. -
Fig. 4 is a flow diagram of a method of cryptographic material management, which can be practiced using the cryptographic material management system ofFig. 1 , and variations thereof in accordance with some embodiments. -
Fig. 5 is an illustration showing an exemplary computing device which may implement the embodiments described herein. - A cryptographic material management system described herein manages cryptographic material across multiple service providers and platforms. The system provides cloud key management capabilities, among other capabilities. While some embodiments refer to a cloud based key producing service, this is not meant to be limiting as the key producing service may also be run on premise. A server presents an application programming interface (API) to a client device or user, and interfaces to various APIs of cloud service providers and platforms through end modules specific to the APIs. The server manages authentication, naming, policies and cryptographic key handling including key wrapping and transfers, across the service providers and platforms as directed by the client device or user. It should be appreciated that this frees up the user from having to learn all of the APIs of all of the cloud service providers and platforms, so that the user can make selections and give directions for key production and key usage through the API of the server. Customers of service providers can thus provision and control cryptographic material across multiple providers to maintain control of what data, services, and material is utilized in the
infrastructure of each service, through a common interface. No modification is required of cryptographic service providers, and the system accommodates each provider individually. -
Fig. 1 is a system diagram of a cryptographic material management system that interfaces to application programming interfaces (APIs) 112 of key-producing cloud services, key-producingplatforms 134, key-consumingcloud services 130 and/or key-consuming platforms 138.Cryptographic keys 142 and encrypted data are managed as cryptographic material. To use the system for managing cryptographic material, a user accesses anAPI 112 of theserver 104, for example through aclient device 142 coupled to anetwork 102 such as the global communication network known as the Internet and depicted inFig. 1 as a cloud. Through theAPI 112 of theserver 104, the user (or client device 142) makes various selections or entries (seeFig. 3C example API) for sources of keys, usage of keys, encryption, decryption and storage of data, all through the common interface provided by theserver 104. - Still referring to
Fig. 1 ,various end modules 106 in theserver 104, for key-producing, interface toAPIs 112 of key-producingservices 128 incloud service providers 124 and/orAPIs 112 of key-producingplatforms 134 that are coupled to the network 102.Through theseend modules 106 for key-producing, the server directs the key-producingservices 128 and/or key-producingplatforms 134 to generate or otherwise producekeys 142.Various end modules 108 in theserver 104, for key-consuming, interface toAPIs 112 of key-consuming services 130 incloud service providers 126 and/orAPIs 112 of key-consumingplatforms 138 that are coupled to thenetwork 102. The server directs usage of keys by the key-consuming services 130 and/or key-consuming platforms 138 through theseend modules 108 for key-consuming. - In the
server 104 ofFig. 1 , adata structure 114,policies 116, amapping module 118, anauthentication module 120 and anaming module 122 are used for various functions in the management of cryptographic material, as described below in example scenarios. Eachend module mapping module 118, theauthentication module 120 and thenaming module 122 can be implemented in hardware, firmware, software executing on theprocessor 110 or combination thereof. Thedata structure 114 can be implemented in memory, or otherwise accessible by the processor, as can thepolicies 116. Theserver 104 can be implemented as a physical device or as a virtualized device using physical computing resources in some embodiments. - Continuing with
Fig. 1 , as one example scenario, theserver 104 directs multiple key-producingservices 128 and/or key-producingplatforms 134 to generatemultiple keys 142, and transfer thekeys 142 to multiple key-consuming services 130 and/or key-consuming platforms 138. Theserver 104 directs these key-consuming services 130 and/or key-consumingplatforms 138 to use thekeys 142 for encryption anddecryption 144 of data, which is directed to be stored in thestorages 132 of the key-consuming services 130,storages 132 of key-consumingplatforms 138 and/orcloud storage 136. To ensure that the production and usage ofkeys 142 and storage of data is as desired by the user, theserver 104 accesses and consultsvarious policies 116. For example, thepolicies 116 could specify which keys are produced by which providers or platforms and which keys are used by which providers or platforms, or could specify which keys can be used by which users, etc. To track keys and
encrypted data, theserver 104 uses themapping module 118 to map keys and data to providers and platforms, storing the results of the mapping in thedata structure 114. Keys are not required to be produced and used in a one-to-one relationship, and can be reused, shared, etc.Keys 142, various services, origins and destinations for keys and data, and other entities or actions, i.e., resources imported from services or platforms, may use existing names or be given or otherwise assigned names by thenaming module 122. Providers, platforms and users are authenticated by theauthentication module 122. In some versions, theserver 104 authenticates to the providers and/or platforms. - As another example scenario with reference to
Fig. 1 ,keys 142 can be managed by akey management service 140 through anAPI 112 in some embodiments.Keys 142 could be transferred directly from key-producingservices 128 or key-producingplatforms 134, to the key-consumingservices 130 or key-consumingplatforms 138. Or, keys could be transferred to akey management service 140 by the key-producingservices 128 and key-producingplatform 134, stored in thekey management service 140, then deployed to the key-consumingservices 130 and key-consumingplatforms 138 on an as-needed basis. Instead, keys could be stored in theserver 104, for example in thedata structure 114 or elsewhere in memory. Alternatively, a key repository could be designated, or the keys could be stored in theclient device 142. Further locations for storing keys are readily devised in keeping with the teachings herein. - It is possible a key-producing
service 128 and key-consumingservice 130 could be hosted by the same cloud service provider. It is also possible that key-producing platforms 134 (e.g., integrated circuits, circuit boards, boxes or other devices) or key-consuming platforms 138 (e.g., similar) could be local to theserver 104, or remote from theserver 104 but accessible through thenetwork 102. Further scenarios with re-encryption, double encryption, decryption at one location and encryption at another location, encryption or decryption at theclient device 142, encryption or decryption at theserver 104, the key-producingservice 128, key-producingplatform 134, key-consumingservice 130, key-consumingplatform 138,cloud storage 136,key management service 140, etc., are envisioned and readily developed in keeping with the teachings herein. -
Fig. 2 is a block diagram of anend module 202 suitable for use in the cryptographic material management system ofFig. 1 . For example, each of theend modules 106 for key-producing, and each of theend modules 108 for key-consuming could have some or all of the features, or be a variation, of theend module 202. Eachend module 202 is specific to anAPI 112 of one of the services or platforms. Updates or upgrades to the cryptographic material management system could include new modules, for new services or platforms as these become available, and revisions to existing modules as services or platforms change. - In various embodiments, the
end module 202 has anAPI interface 204 specific to anAPI 112, anauthentication handling module 206, aparameter handling module 208, acommand generator 210 for a command line interface, and/or a field extractor andfield populator 212, for a web interface. Theauthentication handling module 206 directs authentication to, or authentication of, the service or platform represented by the API to which theAPI interface 204 couples. Parameters are extracted or inserted through theparameter handling module 208 into or out of the API of the service or platform. If the API of the service or platform has a command line interface, thecommand generator module 210 produces commands for the command line interface, in cooperation with theparameter handling module 208. If the API of the service or platform has a webpage interface, the field extractor andfield populator module 212 extracts parameters from the webpage or populates parameters into the webpage (e.g., writes parameters to fields or makes selections in the webpage), through cooperation with theparameter handling module 208. -
Fig. 3A is an example of an API of a key-producing cloud service. This API is presented through awebpage 302 from acloud service provider 124 that has a key-producingservice 128. In thewebpage 302, a title announces the cloudservice provider name 304. For authentication, fields are shown in thewebpage 302 for entry oflogon ID 306 andpassword 308. Key generation requests 310 have fields for entry of aname 312, and one ormore destinations 314 for the key. If it is desired the key be wrapped (e.g., encrypted by another key), akey wrapping selection 316 is made. Fields forkey name 312, destination(s) 314 andkey wrapping selection 316 are repeated for multiple keys.Options 318 are offered, such as to send all keys to akey repository 320, or to enable akey management system 322. Referring back toFig. 1 , in theserver 104 anend module 106 for key-producing interfaces to the API presented by a cloud service through thewebpage 302 ofFig. 3A . In a variation, the API could be presented through a command line interface, or could include a command line interface as part of thewebpage 302. The above example could also serve for a key-producingplatform 134. Further variations (e.g., with different menu styles, offerings, options, etc.) are readily devised. -
Fig. 3B is an example of an API of a key-consuming cloud service. Likewise, this API is presented through awebpage 302, but from acloud service provider 124 that has a key-consumingservice 130. Similarly, in thiswebpage 302, a title announces the cloudservice provider name 304, and fields are available for entry oflogon ID 306 andpassword 308. Fields are presented for providing a key 324, selecting aservice tier 328, selecting a type ofstorage 330, and selecting or entering to which users the key and associated encryption/decryption are applied, for multiple keys and users. Other fields and options could be present in variations. Referring back toFig. 1 , in theserver 104 anend module 108 for key-consuming interfaces to the API presented by a cloud service through thewebpage 302 ofFig. 3B . The above example could also serve for a key-consumingplatform 138. -
Fig. 3C is an example of an API for cryptographic material management through the cryptographic material management system ofFig. 1 . This API is seen, for example, by theclient device 142 when coupled through thenetwork 102 to theserver 104 in order to manage cryptographic material in the system. Types of functions available through the API could include import key, grab key, map key, get key from, store key at, transfer key to, send key to, wrap key, name key, etc. The user orclient device 142 logs onto the webpage 302 (i.e., authenticates to the server 104), by entering alogon ID 306 andpassword 308. By selecting or entering in fields forusers 332,keys 336 andservices client device 142 indicates that the data for selected users is encrypted by selected services using keys from selected services and stored by selected services. Key storage options are available, and the keys can be stored at theserver 342, akey repository 344, or akey management service 346, as indicated at these fields. Variations on the above API are readily
devised. In some versions, the policies 116 (seeFig. 1 ) are developed from information entered through the API, and in other versions thepolicies 116 are edited or uploaded separately. -
Fig. 4 is a flow diagram of a method of cryptographic material management, which can be practiced using the cryptographic material management system ofFig. 1 , and variations thereof. The method can be practiced by a processor, more specifically by a processor of theserver 104. The server presents an API to the client device, in anaction 402. In anaction 404, the server receives an indication through the API, from the client device, of key production and key consumption. For example, the client device, or more specifically the user through the client device, could make various selections in the webpage shown inFig. 3C or variation thereof, to indicate, designate or direct how the cryptographic material is to be managed. In anaction 406, policies are consulted. These policies, which are uploaded to the server or created interactively with the user or the client device, govern the cryptographic material management. In anaction 408, names are assigned to keys and services. This could be done interactively with the user or client device, or automatically by the naming module of the server. In anaction 410, key production, key usage and key ownership are mapped in a data structure, e.g., in or accessible by the server. In anaction 412, authentication is performed with the key producing and key consuming services and platforms. Theserver 104 automates this process through respective end modules and APIs. - Still referring to
Fig. 4 , in anaction 414, key production is directed through APIs of key-producing cloud services and or key-producing platforms. A suitable API is depicted inFig. 3A . In anaction 416, key usage is directed through APIs of key-consuming cloud services and/or key-consuming platforms. A suitable API is depicted inFig. 3B . Key wrapping and key transfers are coordinated, in anaction 418. The server directs key transfers and optional key wrapping through the various APIs, in accordance with user selection and/or policies. Status and summary are reported to the client device through the API, in anaction 420. - It should be appreciated that the methods described herein may be performed with a digital processing system, such as a conventional, general-purpose computer system. Special purpose computers, which are designed or programmed to perform only one function may be used in the alternative.
Fig. 5 is an illustration showing an exemplary computing device which may implement the embodiments described herein. The computing device ofFig. 5 may be used to perform embodiments of the functionality for cryptographic material management in accordance with some embodiments. The computing device includes a central processing unit (CPU) 501, which is coupled through abus 505 to amemory 503, andmass storage device 507.Mass storage device 507 represents a persistent data storage device such as a floppy disc drive or a fixed disc drive, which may be local or remote in some embodiments. Themass storage device 507 could implement a backup storage, in some embodiments.Memory 503 may include read only memory, random access memory, etc. Applications resident on the computing device may be stored on or accessed via a computer readable medium such asmemory 503 ormass storage device 507 in some embodiments. Applications may also be in the form of modulated electronic signals modulated accessed via a network modem or other network interface of the computing device. It should be appreciated thatCPU 501 may be embodied in a general-purpose processor, a special purpose processor, or a specially programmed logic device in some embodiments. -
Display 511 is in communication withCPU 501,memory 503, andmass storage device 507, throughbus 505.Display 511 is configured to display any visualization tools or reports associated with the system described herein. Input/output device 509 is coupled tobus 505 in order to communicate information in command selections toCPU 501. It should be appreciated that data to and from external devices may be communicated through the input/output device 509.CPU 501 can be defined to execute the functionality described herein to enable the functionality described with reference toFigs. 1-4 . The code embodying this functionality may be stored withinmemory 503 ormass storage device 507 for execution by a processor such asCPU 501 in some embodiments. The operating system on the computing device may be i0Srim, MS-WINDOWSTM, OS/2TM, UNIXTM, LINUXTm, or other known operating systems. It should be appreciated that the embodiments described herein may also be integrated with a virtualized computing system that is implemented with physical computing resources. - Detailed illustrative embodiments are disclosed herein. However, specific functional details disclosed herein are merely representative for purposes of describing embodiments. Embodiments may, however, be embodied in many alternate forms and should not be construed as limited to only the embodiments set forth herein.
- It should be understood that although the terms first, second, etc. may be used herein to describe various steps or calculations, these steps or calculations should not be limited by these terms. These terms are only used to distinguish one step or calculation from another. For example, a first calculation could be termed a second calculation, and, similarly, a second step could be termed a first step, without departing from the scope of this disclosure. As used herein, the term "and/or" and the "/" symbol includes any and all combinations of one or more of the associated listed items.
- As used herein, the singular forms "a", "an" and "the" are intended to include The plural forms as well, unless the context clearly indicates otherwise. It will be further understood that the terms "comprises", "comprising", "includes", and/or "including", when used herein, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof. Therefore, the terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting.
- It should also be noted that in some alternative implementations, the functions/acts noted may occur out of the order noted in the figures. For example, two figures shown in succession may in fact be executed substantially concurrently or may sometimes be executed in the reverse order, depending upon the functionality/acts involved.
- With the above embodiments in mind, it should be understood that the embodiments might employ various computer-implemented operations involving data stored in computer systems. These operations are those requiring physical manipulation of physical quantities. Usually, though not necessarily, these quantities take the form of electrical or magnetic signals capable of being stored, transferred, combined, compared, and otherwise manipulated. Further, the manipulations performed are often referred to in terms, such as producing, identifying, determining, or comparing. Any of the operations described herein that form part of the embodiments are useful machine operations. The embodiments also relate to a device or an apparatus for performing these operations. The apparatus can be specially constructed for the required purpose, or the apparatus can be a general-purpose computer selectively activated or configured by a computer program stored in the computer. In particular, various general-purpose machines can be used with computer
programs written in accordance with the teachings herein, or it may be more convenient to construct a more specialized apparatus to perform the required operations. - A module, an application, a layer, an agent or other method-operable entity could be implemented as hardware, firmware, or a processor executing software, or combinations thereof. It should be appreciated that, where a software-based embodiment is disclosed herein, the software can be embodied in a physical machine such as a controller. For example, a controller could include a first module and a second module. A controller could be configured to perform various actions, e.g., of a method, an application, a layer or an agent.
- The embodiments can also be embodied as computer readable code on a tangible non-transitory computer readable medium. The computer readable medium is any data storage device that can store data, which can be thereafter read by a computer system. Examples of the computer readable medium include hard drives, network attached storage (NAS), read-only memory, random-access memory, CD-ROMs, CD-Rs, CD-RWs, magnetic tapes, and other optical and non-optical data storage devices. The computer readable medium can also be distributed over a network coupled computer system so that the computer readable code is stored and executed in a distributed fashion. Embodiments described herein may be practiced with various computer system configurations including hand-held devices, tablets, microprocessor systems, microprocessor-based or programmable consumer electronics, minicomputers, mainframe computers and the like. The embodiments can also be practiced in distributed computing environments where tasks are performed by remote processing devices that are linked through a wire-based or wireless network.
- Although the method operations were described in a specific order, it should be understood that other operations may be performed in between described operations, described operations may be adjusted so that they occur at slightly different times or the described operations may be distributed in a system which allows the occurrence of the processing operations at various intervals associated with the processing.
- In various embodiments, one or more portions of the methods and mechanisms described herein may form part of a cloud-computing environment. In such embodiments, resources may be provided over the Internet as services according to one or more various models. Such models may include Infrastructure as a Service (laaS), Platform as a Service (PaaS), and Software as a Service (SaaS). In IaaS, computer infrastructure is delivered as a service. In such a case, the computing equipment is generally owned and operated by the service provider. In the PaaS model, software tools and underlying equipment used by developers to develop software solutions may be provided as a service and hosted by the service provider. SaaS typically includes a service provider licensing software as a service on demand. The service provider may host the software, or may deploy the software to a customer for a given period of time. Numerous combinations of the above models are possible and are contemplated.
- Various units, circuits, or other components may be described or claimed as "configured to" or "configurable to" perform a task or tasks. In such contexts, the phrase "configured to" or "configurable to" is used to connote structure by indicating that the units/circuits/components include structure (e.g., circuitry) that performs the task or tasks during operation. As such, the unit/circuit/component can be said to be configured to perform the task, or configurable to perform the task, even when the specified unit/circuit/component is not currently operational (e.g., is not on). The units/circuits/components used with the "configured to" or "configurable to" language include hardware--for example, circuits, memory storing program instructions executable to implement the operation, etc. Reciting that a unit/circuit/component is "configured to" perform one or more tasks, or is "configurable to" perform one or more tasks, is expressly intended not to invoke 35 U.S.C. 112, sixth paragraph, for that unit/circuit/component. Additionally, "configured to" or "configurable to" can include generic structure (e.g., generic circuitry) that is manipulated by software and/or firmware (e.g., an FPGA or a general-purpose processor executing software)
to operate in manner that is capable of performing the task(s) at issue. "Configured to" may also include adapting a manufacturing process (e.g., a semiconductor fabrication facility) to fabricate devices (e.g., integrated circuits) that are adapted to implement or perform one or more tasks. "Configurable to" is expressly intended not to apply to blank media, an unprogrammed processor or unprogrammed generic computer, or an unprogrammed programmable logic device, programmable gate array, or other unprogrammed device, unlessaccompanied by programmed media that confers the ability to the unprogrammed device to be configured to perform the disclosed function(s). - The foregoing description, for the purpose of explanation, has been described with reference to specific embodiments. However, the illustrative discussions above are not intended to be exhaustive or to limit the invention to the precise forms disclosed. Many modifications and variations are possible in view of the above teachings. The embodiments were chosen and described in order to best explain the principles of the embodiments and its practical applications, to thereby enable others skilled in the art to best utilize the embodiments and various modifications as may be suited to the particular use contemplated. Accordingly, the present embodiments are to be considered as illustrative and not restrictive, and the invention is not to be limited to the details given herein, but may be modified within the scope and equivalents of the appended claims.
Claims (15)
- A processor-based method for cryptographic material management, comprising:receiving from a client device (142) coupled through a network (102) to a computing device (104), into said computing device, through an application programming interface (API) of the computing device, a designation of which of a plurality of key-producing cloud services (128) or key-producing platforms (134) sources generates eachof a plurality of keys and which of a plurality of key-consuming cloud service providers (130) or key-consuming platforms (138) uses each of the plurality of keys for encrypting or decrypting data;directing, from the computing device through a first plurality of end modules (106) each interfaced to a specific API of a specific one of the plurality of key-producing cloud services or key-producing platforms, based on the received designation, production of one or more of the plurality of keys;directing, from the computing device through a second plurality of end modules (108) each interfaced to a specific API of a specific one of the plurality of key-consuming cloud service providers or key-consuming platforms, based on the received designation, usage of one or more of the plurality of keys;assigning names to resources imported from the plurality of key-producing cloud services or key-producing platforms and the plurality of key-consuming cloud service providers or key-consuming platforms to the API of the computing device; andmapping, in a data structure (114) in the computing device, key production, key usage and key ownership according to the assigned name of said resources.
- The method of claim 1, further comprising:
coordinating, from the computing device, key wrapping among the plurality of key-producing cloud services or key-producing platforms. - The method of claim 1, further comprising:
coordinating, from the computing device, transfer of one of the plurality of keys from one of the plurality of key-producing cloud services or key-producing platforms to one of the plurality of key-consuming cloud service providers or key-consuming platforms, through corresponding end modules and APIs. - The method of claim 3, further comprising:
reporting to the client device through said application programming interface a status and a summary related to said transfer. - The method of claim 1, further comprising:interfacing to an API of a key management service; andenforcing one or more policies through the key management service.
- The method of claim 1, further comprising:
managing, from the computing device, authentication for key production, key usage and key ownership. - A tangible, non-transitory, computer-readable media having instructions thereupon which, when executed by a processor, cause the processor to perform a method comprising:receiving from a client device (142) coupled through a network (102) to a computing device (104), into said computing device, through an application programming interface (API) of the computing device, an indication of which of a plurality of keys is produced by each of a plurality of key-producing cloud services (128) or key-producing platforms (134) and which of the plurality of keys is used by each of a plurality of key-consuming cloud service providers (130) or key-consuming platforms (138) to encrypt or decrypt data;directing, from the computing device through a first plurality of end modules (106) each interfaced to a specific API of a specific one of the plurality of key-producing cloud services or key-producing platforms, based on the received designation, production of one or more of the plurality of keys in accordance with the received indication;directing, from the computing device through a second plurality of end modules (108) each interfaced to a specific API of a specific one of the plurality of key-consuming cloud service providers or key-consuming platforms, based on the received designation, usage of one or more of the plurality of keys in accordance with the received indication;assigning names to resources imported from the plurality of key-producing cloud services or key-producing platforms and the plurality of key-consuming cloud service providers or key-consuming platforms to the API of the computing device; andmapping, in a data structure (114) in the computing device, key production, key usage and key ownership according to the assigned name of said resources.
- The computer-readable media of claim 7, wherein the method further comprises:
coordinating, from the computing device, key wrapping among the plurality of key-producing cloud services or key-producing platforms. - The computer-readable media of claim 7, wherein the method further comprises at least one of a) and b):a) interfacing to an API of a key management service; and
enforcing one or more policies through the key management service;b) managing, from the computing device, authentication for key production, key usage and key ownership. - A cryptographic material management system, comprising:a server (104), having physical computing resources or virtualized using physical computing resources, configurable to present an application programming interface (API) that supports reception, from a client device (142) coupled through a network (102) to the server, of user designation of which of a plurality of key-producing cloud services (128) or key-producing platforms (134) generates each of a plurality of keys and which of a plurality of key-consuming cloud service providers (130) or key-consuming platforms (138) uses each of the plurality of keys for encrypting or decrypting data;the server having a first plurality of end modules (106) each configurable to interface to a specific API of a specific one of the plurality of key-producing cloud services or key-producing platforms to direct production of one or more of the plurality of keys based on the user designation;the server having a second plurality of end modules (108) each configurable to interface to a specific API of a specific one of the plurality of key-consuming cloud service providers or key-consuming platforms to direct usage of one or more of the plurality of keys based on the user designation;the server being configured to assign names to resources imported from the plurality of key-producing cloud services or key-producing platforms and the plurality of key-consuming cloud service providers or key-consuming platforms to the API of the server; andthe server having a data structure (114) and being configured to map, in said data structure, key production, key usage and key ownership according to the assigned name of said resources.
- The cryptographic material management system of claim 10, further comprising:
the server configurable to coordinate key wrapping among the plurality of key-producing cloud services or key-producing platforms. - The cryptographic material management system of claim 10, further comprising:
the server configurable to represent the key production, key usage and key ownership through the API of the server in accordance with the data structure. - The cryptographic material management system of claim 10, further comprising:the server configurable to manage and consult a plurality of policies regarding key production, key usage and key ownership; andthe server configurable to interface to an API of a key management service and enforce at least one of the plurality of policies through the key management service.
- The cryptographic material management system of claim 10, further comprising:
the server configurable to manage authentication for key production, key usage and key ownership, through corresponding APIs. - The cryptographic material management system of claim 10, wherein said resources include at least one of keys, wrapped keys, key transfers, encryption services or cloud services.
Applications Claiming Priority (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US201762458269P | 2017-02-13 | 2017-02-13 | |
US15/472,065 US10547598B2 (en) | 2017-02-13 | 2017-03-28 | Abstracted cryptographic material management across multiple service providers |
PCT/US2018/017490 WO2018148459A1 (en) | 2017-02-13 | 2018-02-08 | Abstracted cryptographic material management across multiple service providers |
Publications (3)
Publication Number | Publication Date |
---|---|
EP3580688A1 EP3580688A1 (en) | 2019-12-18 |
EP3580688A4 EP3580688A4 (en) | 2020-12-16 |
EP3580688B1 true EP3580688B1 (en) | 2022-12-07 |
Family
ID=63105598
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
EP18750612.6A Active EP3580688B1 (en) | 2017-02-13 | 2018-02-08 | Abstracted cryptographic material management across multiple service providers |
Country Status (5)
Country | Link |
---|---|
US (1) | US10547598B2 (en) |
EP (1) | EP3580688B1 (en) |
CA (1) | CA3053467C (en) |
ES (1) | ES2936830T3 (en) |
WO (1) | WO2018148459A1 (en) |
Families Citing this family (15)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US9015281B2 (en) * | 2010-10-08 | 2015-04-21 | Brian Lee Moffat | Private data sharing system |
EA035011B1 (en) | 2013-10-07 | 2020-04-16 | ФОРНЕТИКС ЭлЭлСи | Method for encryption key management, federation and distribution |
US10630686B2 (en) | 2015-03-12 | 2020-04-21 | Fornetix Llc | Systems and methods for organizing devices in a policy hierarchy |
US10965459B2 (en) | 2015-03-13 | 2021-03-30 | Fornetix Llc | Server-client key escrow for applied key management system and process |
US10917239B2 (en) | 2016-02-26 | 2021-02-09 | Fornetix Llc | Policy-enabled encryption keys having ephemeral policies |
US10860086B2 (en) | 2016-02-26 | 2020-12-08 | Fornetix Llc | Policy-enabled encryption keys having complex logical operations |
US11063980B2 (en) | 2016-02-26 | 2021-07-13 | Fornetix Llc | System and method for associating encryption key management policy with device activity |
US10880281B2 (en) | 2016-02-26 | 2020-12-29 | Fornetix Llc | Structure of policies for evaluating key attributes of encryption keys |
US10931653B2 (en) | 2016-02-26 | 2021-02-23 | Fornetix Llc | System and method for hierarchy manipulation in an encryption key management system |
US10713077B2 (en) | 2017-01-26 | 2020-07-14 | Semper Fortis Solutions, LLC | Multiple single levels of security (MSLS) in a multi-tenant cloud |
US10972445B2 (en) * | 2017-11-01 | 2021-04-06 | Citrix Systems, Inc. | Dynamic crypto key management for mobility in a cloud environment |
JP6408180B1 (en) * | 2018-03-20 | 2018-10-17 | ヤフー株式会社 | Terminal control program, terminal device, and terminal control method |
US11765142B1 (en) | 2022-08-08 | 2023-09-19 | International Business Machines Corporation | Distribution of private session key to network communication device for secured communications |
US11924179B2 (en) * | 2022-08-08 | 2024-03-05 | International Business Machines Corporation | API based distribution of private session key to network communication device for secured communications |
US11916890B1 (en) * | 2022-08-08 | 2024-02-27 | International Business Machines Corporation | Distribution of a cryptographic service provided private session key to network communication device for secured communications |
Family Cites Families (23)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6195751B1 (en) * | 1998-01-20 | 2001-02-27 | Sun Microsystems, Inc. | Efficient, secure multicasting with minimal knowledge |
US6553493B1 (en) * | 1998-04-28 | 2003-04-22 | Verisign, Inc. | Secure mapping and aliasing of private keys used in public key cryptography |
US7509492B2 (en) * | 2001-03-27 | 2009-03-24 | Microsoft Corporation | Distributed scalable cryptographic access control |
US7590844B1 (en) * | 2002-04-26 | 2009-09-15 | Mcafee, Inc. | Decryption system and method for network analyzers and security programs |
US8116456B2 (en) * | 2006-11-28 | 2012-02-14 | Oracle International Corporation | Techniques for managing heterogeneous key stores |
US8831992B2 (en) * | 2007-12-13 | 2014-09-09 | Symantec Corporation | Apparatus and method for facilitating cryptographic key management services |
US8311225B2 (en) * | 2009-08-17 | 2012-11-13 | Brocade Communications Systems, Inc. | Scalable key archival |
US8190675B2 (en) * | 2010-02-11 | 2012-05-29 | Inditto, Llc | Method and system for providing access to remotely hosted services through a normalized application programming interface |
US20140297535A1 (en) * | 2011-04-26 | 2014-10-02 | Docupace Technologies, Inc. | System and Method for Compliant Integrated Workflow |
US9077773B2 (en) * | 2011-11-17 | 2015-07-07 | Mashape, Inc. | Cloud-based hub for facilitating distribution and consumption of application programming interfaces |
US9756022B2 (en) * | 2014-08-29 | 2017-09-05 | Box, Inc. | Enhanced remote key management for an enterprise in a cloud-based environment |
US20140122875A1 (en) * | 2012-10-31 | 2014-05-01 | Ubs Ag | Container-based management at a user device |
US10044808B2 (en) * | 2012-12-20 | 2018-08-07 | Software Ag Usa, Inc. | Heterogeneous cloud-store provider access systems, and/or associated methods |
US9832205B2 (en) * | 2013-03-15 | 2017-11-28 | International Business Machines Corporation | Cross provider security management functionality within a cloud service brokerage platform |
US20140344570A1 (en) * | 2013-05-20 | 2014-11-20 | Microsoft Corporation | Data Protection For Organizations On Computing Devices |
US9553720B2 (en) * | 2013-12-23 | 2017-01-24 | International Business Machines Corporation | Using key material protocol services transparently |
US9864874B1 (en) * | 2014-05-21 | 2018-01-09 | Amazon Technologies, Inc. | Management of encrypted data storage |
US9560037B2 (en) * | 2014-06-19 | 2017-01-31 | Microsoft Technology Licensing, Llc | Integrated APIs and UIs for consuming services across different distributed networks |
US9413735B1 (en) * | 2015-01-20 | 2016-08-09 | Ca, Inc. | Managing distribution and retrieval of security key fragments among proxy storage devices |
US10630686B2 (en) | 2015-03-12 | 2020-04-21 | Fornetix Llc | Systems and methods for organizing devices in a policy hierarchy |
US11195216B2 (en) * | 2015-07-31 | 2021-12-07 | Ent. Services Development Corporation Lp | Federated marketplace portal |
US10878517B2 (en) * | 2016-10-24 | 2020-12-29 | Adobe Inc. | Combined interaction monitoring for media content groups on social media services |
US10298635B2 (en) * | 2016-12-19 | 2019-05-21 | Ricoh Company, Ltd. | Approach for accessing third-party content collaboration services on interactive whiteboard appliances using a wrapper application program interface |
-
2017
- 2017-03-28 US US15/472,065 patent/US10547598B2/en active Active
-
2018
- 2018-02-08 CA CA3053467A patent/CA3053467C/en active Active
- 2018-02-08 WO PCT/US2018/017490 patent/WO2018148459A1/en unknown
- 2018-02-08 ES ES18750612T patent/ES2936830T3/en active Active
- 2018-02-08 EP EP18750612.6A patent/EP3580688B1/en active Active
Also Published As
Publication number | Publication date |
---|---|
CA3053467A1 (en) | 2018-08-16 |
WO2018148459A1 (en) | 2018-08-16 |
US20180234401A1 (en) | 2018-08-16 |
EP3580688A1 (en) | 2019-12-18 |
EP3580688A4 (en) | 2020-12-16 |
ES2936830T3 (en) | 2023-03-22 |
US10547598B2 (en) | 2020-01-28 |
CA3053467C (en) | 2023-08-08 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
EP3580688B1 (en) | Abstracted cryptographic material management across multiple service providers | |
EP3210156B1 (en) | Access control for data blocks in a distributed filesystem | |
US10523645B2 (en) | Method and system for protecting user data using individualized keys to enable secure compartmentalized data backup/restore | |
EP3269117B1 (en) | Secure and control data migrating between enterprise and cloud services | |
US10212190B2 (en) | Context-based cloud security assurance system | |
US20160173502A1 (en) | Jurisdictional cloud data access | |
US8401973B1 (en) | Method and system for managing a license for an add-on software component | |
US11455429B2 (en) | Container-based cryptography hardware security module management | |
US10366227B2 (en) | Secure debugging in a trustable computing environment | |
TWI808749B (en) | Computer program product, computer system and computer-implemented method for secure guest imaging and metadata updating | |
US20200004969A1 (en) | Secure operations on encrypted data | |
US10489808B1 (en) | Policies based on combinations of atomic constraints | |
US20230037986A1 (en) | Autoencryption system for data in a container |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
STAA | Information on the status of an ep patent application or granted ep patent |
Free format text: STATUS: THE INTERNATIONAL PUBLICATION HAS BEEN MADE |
|
PUAI | Public reference made under article 153(3) epc to a published international application that has entered the european phase |
Free format text: ORIGINAL CODE: 0009012 |
|
STAA | Information on the status of an ep patent application or granted ep patent |
Free format text: STATUS: REQUEST FOR EXAMINATION WAS MADE |
|
17P | Request for examination filed |
Effective date: 20190912 |
|
AK | Designated contracting states |
Kind code of ref document: A1 Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR |
|
AX | Request for extension of the european patent |
Extension state: BA ME |
|
DAV | Request for validation of the european patent (deleted) | ||
DAX | Request for extension of the european patent (deleted) | ||
RAP1 | Party data changed (applicant data changed or rights of an application transferred) |
Owner name: THALES DIS CPL USA, INC. |
|
A4 | Supplementary search report drawn up and despatched |
Effective date: 20201113 |
|
RIC1 | Information provided on ipc code assigned before grant |
Ipc: H04L 9/08 20060101ALI20201109BHEP Ipc: H04L 9/14 20060101ALI20201109BHEP Ipc: H04W 12/04 20090101ALI20201109BHEP Ipc: H04L 29/08 20060101ALI20201109BHEP Ipc: H04L 29/06 20060101AFI20201109BHEP Ipc: H04W 12/00 20090101ALI20201109BHEP |
|
REG | Reference to a national code |
Ref country code: DE Ref legal event code: R079 Ref document number: 602018043978 Country of ref document: DE Free format text: PREVIOUS MAIN CLASS: G06F0021620000 Ipc: H04L0009400000 |
|
GRAP | Despatch of communication of intention to grant a patent |
Free format text: ORIGINAL CODE: EPIDOSNIGR1 |
|
STAA | Information on the status of an ep patent application or granted ep patent |
Free format text: STATUS: GRANT OF PATENT IS INTENDED |
|
RAP3 | Party data changed (applicant data changed or rights of an application transferred) |
Owner name: THALES DIS CPL USA, INC. |
|
RIC1 | Information provided on ipc code assigned before grant |
Ipc: H04L 9/14 20060101ALI20220620BHEP Ipc: H04L 9/08 20060101ALI20220620BHEP Ipc: H04W 12/0433 20210101ALI20220620BHEP Ipc: H04W 12/0431 20210101ALI20220620BHEP Ipc: H04L 9/40 20220101AFI20220620BHEP |
|
INTG | Intention to grant announced |
Effective date: 20220706 |
|
GRAS | Grant fee paid |
Free format text: ORIGINAL CODE: EPIDOSNIGR3 |
|
GRAA | (expected) grant |
Free format text: ORIGINAL CODE: 0009210 |
|
STAA | Information on the status of an ep patent application or granted ep patent |
Free format text: STATUS: THE PATENT HAS BEEN GRANTED |
|
AK | Designated contracting states |
Kind code of ref document: B1 Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR |
|
REG | Reference to a national code |
Ref country code: GB Ref legal event code: FG4D |
|
REG | Reference to a national code |
Ref country code: CH Ref legal event code: EP Ref country code: AT Ref legal event code: REF Ref document number: 1536972 Country of ref document: AT Kind code of ref document: T Effective date: 20221215 |
|
REG | Reference to a national code |
Ref country code: DE Ref legal event code: R096 Ref document number: 602018043978 Country of ref document: DE |
|
REG | Reference to a national code |
Ref country code: IE Ref legal event code: FG4D |
|
REG | Reference to a national code |
Ref country code: NL Ref legal event code: FP |
|
REG | Reference to a national code |
Ref country code: ES Ref legal event code: FG2A Ref document number: 2936830 Country of ref document: ES Kind code of ref document: T3 Effective date: 20230322 |
|
REG | Reference to a national code |
Ref country code: LT Ref legal event code: MG9D |
|
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: SE Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20221207 Ref country code: NO Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20230307 Ref country code: LT Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20221207 Ref country code: FI Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20221207 |
|
REG | Reference to a national code |
Ref country code: AT Ref legal event code: MK05 Ref document number: 1536972 Country of ref document: AT Kind code of ref document: T Effective date: 20221207 |
|
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: RS Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20221207 Ref country code: PL Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20221207 Ref country code: LV Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20221207 Ref country code: HR Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20221207 Ref country code: GR Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20230308 |
|
P01 | Opt-out of the competence of the unified patent court (upc) registered |
Effective date: 20230427 |
|
P02 | Opt-out of the competence of the unified patent court (upc) changed |
Effective date: 20230522 |
|
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: SM Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20221207 Ref country code: RO Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20221207 Ref country code: PT Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20230410 Ref country code: EE Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20221207 Ref country code: CZ Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20221207 Ref country code: AT Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20221207 |
|
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: SK Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20221207 Ref country code: IS Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20230407 Ref country code: AL Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20221207 |
|
REG | Reference to a national code |
Ref country code: DE Ref legal event code: R097 Ref document number: 602018043978 Country of ref document: DE |
|
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: MC Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20221207 |
|
REG | Reference to a national code |
Ref country code: CH Ref legal event code: PL |
|
PLBE | No opposition filed within time limit |
Free format text: ORIGINAL CODE: 0009261 |
|
STAA | Information on the status of an ep patent application or granted ep patent |
Free format text: STATUS: NO OPPOSITION FILED WITHIN TIME LIMIT |
|
REG | Reference to a national code |
Ref country code: BE Ref legal event code: MM Effective date: 20230228 |
|
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: LU Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES Effective date: 20230208 Ref country code: LI Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES Effective date: 20230228 Ref country code: DK Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20221207 Ref country code: CH Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES Effective date: 20230228 |
|
26N | No opposition filed |
Effective date: 20230908 |
|
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: SI Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20221207 |
|
REG | Reference to a national code |
Ref country code: IE Ref legal event code: MM4A |
|
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: IE Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES Effective date: 20230208 |
|
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: BE Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES Effective date: 20230228 |
|
PGFP | Annual fee paid to national office [announced via postgrant information from national office to epo] |
Ref country code: NL Payment date: 20240123 Year of fee payment: 7 |
|
PGFP | Annual fee paid to national office [announced via postgrant information from national office to epo] |
Ref country code: ES Payment date: 20240301 Year of fee payment: 7 |
|
PGFP | Annual fee paid to national office [announced via postgrant information from national office to epo] |
Ref country code: DE Payment date: 20240123 Year of fee payment: 7 Ref country code: GB Payment date: 20240123 Year of fee payment: 7 |
|
PGFP | Annual fee paid to national office [announced via postgrant information from national office to epo] |
Ref country code: IT Payment date: 20240123 Year of fee payment: 7 Ref country code: FR Payment date: 20240123 Year of fee payment: 7 |